FROST: Flexible Round-Optimized Schnorr Threshold Signatures

Overview

FROST (Flexible Round-Optimized Schnorr Threshold Signatures) is a threshold signature scheme built on Schnorr signatures that allows for “T of N” signers, each of whom hold a share of a private key, to produce a valid signature for that private key. Because of its foundation in Schnorr, it has several interesting characteristics, such as signature aggregation, where a set of signatures look exactly the same as a single signature. Beyond that, FROST improves on the fundamentals of Schnorr through improved network efficiency and protection against forgery attacks.

Why is FROST Important?

Using a Schnorr-enabled signature scheme allows for many advantages including compactness and faster verification as well as the use of signature aggregation, adapter signatures, blind signatures, and threshold signatures. Each of these elements adds vital tools to the toolkit of a signature designer.

Some of the biggest benefits come from the threshold signatures at the heart of FROST, which improve the resilience of digital assets. Traditionally, multisigs or Shamir’s Secret Sharing were used to create this type of resilience, but they each had limitations. Multisigs could become quite large as more signatures were added, while Shamir’s Secret Sharing created vulnerabilities on reconstruction (and also had a history of problematic implementations). FROST resolves size issues with its aggregate signatures (which are always the same size), while the Distributed Key Generation (DKG) methodology creates keys that are never in one place!

How is FROST Better than Extant Technologies?

• Advantages over Bitcoin Multisigs.
  • Better privacy: on-chain footprint is always a single key and a single signature, regardless of configuration
  • Lower fees: redeem scripts are much smaller than script-based multisig
  • Off-chain resharing: repair, refresh, enroll, disenroll, and modify the threshold without moving funds, incurring fees, or exposing private information
• Advantages over Shamir Secret Sharing.
  • No trusted dealer
  • No secret reconstruction

How Does FROST Work?

FROST is fully described in a paper by Chelsea Komlo and Ian Goldberg. Some of the fundamental elements of FROST are:

Schnorr Signatures. A signature scheme based on finite fields rather than prime numbers. Besides being very elegant, Schnorr signatures have numerous other advantages, as discussed in “Musings of a Trust Architect: A Layperson’s Intro to Schnorr”.

Signature Aggregation. One of the advantages of Schnorr signatures it that they can easily be added to or subtracted from each other as part of their finite field operations, creating signature aggregation where all signatures are the same size, no matter how many signatures they contain.

Distributed Key Generation (DKG). One of the core features of FROST is Distributed Key Generation: rather than a key being created, then broken apart to allow for threshold signing with the shares, the shares are instead each created individually. This means that the full key never exists in a single place.

Trusted Dealer Generation. This is the traditional methodology for generating shares, where a key is created then broken apart by a “trusted dealer”. Some FROST implementations such as ZF FROST also support this methodology, creating a bridge between traditional use of Shamir’s Secret Sharing and the use of DKG in FROST.

Verifiable Secret Sharing (VSS). A methodology for verifying the existence of shares without reconstruting a secret. FROST uses a VSS protocol invented by Paul Feldmann.

Videos

FROST/Gordian Overview:

FROST Round Table I:

Links

Intro:

• Understanding FROST (ZF FROST Book)
• A Layperson’s Intro to Schnorr (Blockchain Commons Blog)
• Paper by Chelsea Komlo and Ian Goldberg (Cryptology ePrint Archive)

Developer Resources:

• FROST Implementer’s Round Table I

Developer Reference Libraries:

• ZF FROST (ZF FROST Book)